Fact or fiction? The truth about the Windows and Office hacks

It’s been a crazy week. Last Monday we learned about the Word zero-day vulnerability that uses a booby-trapped Word document attached to an email message to infect Windows PCs. Then, on Friday, came the deluge of Windows exploits collectively identified with their leaker, Shadow Brokers, that appear to originate with the U.S. National Security Agency.
In both cases, many of us believed the sky was falling on Windows: The exploits touch all versions of Windows and all versions of Office. Fortunately, the situation isn’t as bad as was first thought. Here’s what you need to know.
How to protect yourself against the Word zero-day
As I explained last Monday, the Word zero-day takes over your PC when you open an infected Word document attached to an email. The attack takes place from inside Word, so it doesn’t matter which email program or even which version of Windows you’re using.
In a twist I’ve never seen before, subsequent research into the exploit revealed it was first used by nation-state attackers and was then incorporated into garden-variety malware. Both Zack Whittaker at ZDNet and Dan Goodin at Ars Technica reported that the exploit was originally used in January against Russian targets, but the same code turned up in a Dridex banking malware email campaign last week. Exploits aimed at the spook set rarely get unleashed on the world at large, but this one did.
In theory, to block the exploit’s path, you have to apply both the appropriate April Office security patch and either the April Monthly Rollup or the April Security-only patch. That’s a big problem for a lot of folks because the April patches—210 security patches, 644 in all—are causing all sorts of mayhem.
But be of good cheer. I’m seeing verification from all over the web—including my own AskWoody Lounge—that you can avoid infection by sticking with Word’s Protected View mode (in Word, choose File > Options > Trust Center > Trust Center Settings > Protected View and make sure all three Protected View options are checked).
With Protected View enabled, a document that arrives as an email attachment or comes from the internet opens read-only, with a yellow bar and an Enable Editing button. The exploit does not fire while the file sits in Protected View; it fires when the document is opened for editing. So click Enable Editing only for a document you trust, because if you click it on a booby-trapped file, the malware runs automatically. Protected View stops Word from opening every document for editing right away, giving you a chance to read it before deciding whether it is safe.
By default, Word’s Protected View opens documents in read-only mode, so malware won’t run. Click the Enable Editing button to edit the file—but only if you’re sure it’s safe.
As Chris Hoffman explains in this How-To Geek article, you also want macros blocked by default. Do that by choosing File > Options > Trust Center > Trust Center Settings > Macro Settings, then selecting “Disable all macros with notification.” When you then edit a document that contains macros, you get a warning bar with an Enable Content button. Again, click Enable Content only if you’re sure the file is safe; if the file is infected, doing so runs the malware. (This setting guards against the much more common macro-based attacks; it is separate from Protected View, and you want both.)
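The two Trust Center settings above are stored in the current user’s registry hive, so you can audit them (and, if you like, put them back) without clicking through the dialogs. The script below is an added example, not code from the original article or from Microsoft; it assumes the standard Office version keys (16.0 for Office 2016/365, 15.0 for 2013, 14.0 for 2010) and the documented value names behind the Protected View and macro settings. A missing value means Office’s default, which is Protected View on and macros disabled with notification.

```powershell
# Added example: audit Word's Protected View and macro settings for the current
# user, and optionally enforce the safe values. Office version keys assumed:
# 16.0 = Office 2016/365, 15.0 = Office 2013, 14.0 = Office 2010.
param([switch]$Enforce)

$versions = '16.0', '15.0', '14.0'

# Meaning of the VBAWarnings DWORD behind Trust Center > Macro Settings.
# Absent value = Office default = 2 (disable all macros with notification).
$macroLevels = @{
    1 = 'Enable all macros (UNSAFE)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

# Each of these three DWORDs, when set to 1, turns Protected View off for one
# source of files (Outlook attachments, internet downloads, unsafe locations).
$pvSwitches = 'DisableAttachmentsInPV', 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV'

foreach ($v in $versions) {
    $sec = "HKCU:\Software\Microsoft\Office\$v\Word\Security"
    if (-not (Test-Path $sec)) { continue }   # this Office version is not installed for this user
    $pv = Join-Path $sec 'ProtectedView'
    Write-Host "Word $v ($sec)"

    foreach ($name in $pvSwitches) {
        $val = (Get-ItemProperty -Path $pv -Name $name -ErrorAction SilentlyContinue).$name
        $state = if ($val -eq 1) { 'DISABLED' } else { 'enabled' }
        Write-Host ("  Protected View [{0}]: {1}" -f $name, $state)
        if ($Enforce -and $val -eq 1) {
            # 0 re-enables Protected View for that source (same as ticking the box)
            New-Item -Path $pv -Force | Out-Null
            New-ItemProperty -Path $pv -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
            Write-Host "    -> re-enabled"
        }
    }

    $vba = (Get-ItemProperty -Path $sec -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $desc = if ($null -eq $vba) { 'not set (default: disable all macros with notification)' }
            else { $macroLevels[[int]$vba] }
    Write-Host "  Macro setting [VBAWarnings]: $desc"
    if ($Enforce -and $vba -eq 1) {
        # Only "enable all macros" is dangerous; move it to "disable with notification"
        New-ItemProperty -Path $sec -Name VBAWarnings -Value 2 -PropertyType DWord -Force | Out-Null
        Write-Host "    -> set to 2 (disable all macros with notification)"
    }

    # Group Policy values live under a separate key and override the user settings
    # above, so a locked-down machine may show user values that are not in effect.
    $pol = "HKCU:\Software\Policies\Microsoft\Office\$v\Word\Security"
    if (Test-Path $pol) {
        Write-Host "  Note: policy key $pol exists; its values take precedence."
    }
}
```

Run it as the user whose Word you care about (the settings are per user); run it with -Enforce to flip any disabled Protected View switch back on and to demote “Enable all macros” to “Disable with notification.” Reading the values is harmless; changing them is exactly what the Trust Center dialog does, so close Word first so it does not overwrite them on exit.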
You can be even safer by not using Word for Windows to edit a file you suspect may be infected. Instead, edit it in Google Docs, Word Online, Word for iOS or Android, OpenOffice, or Apple Pages. (Many malware apps won’t infect a Mac, but Mac Word is susceptible to macro malware.)
Shadow Brokers’ Windows exploits were already patched
The NSA-derived Windows hacks that Shadow Brokers released last Friday originally seemed to harbor all sorts of zero-day vulnerabilities across all versions of Windows. As the weekend wore on, we found that wasn’t even close to the truth.
It turns out that Microsoft had already patched the bugs, so currently supported versions of Windows are (nearly) immune. In particular, the MS17-010 patch released last month fixes the SMB exploits in the dump for Windows Vista and later, and the remaining tools hit bugs Microsoft had fixed in earlier bulletins. But Windows NT and XP users won’t get any fixes because their Windows versions are no longer supported; if you run NT or XP, you are exposed to the exploits Shadow Brokers unveiled, and the only real mitigations are to block SMB at the network edge or take the machines off the network.
Bottom line: If you have last month’s MS17-010 patch installed, you’re fine (and disabling SMBv1 where nothing needs it is cheap extra insurance). According to the KB 4013389 article, MS17-010 is delivered by any of these KB numbers:
- 4012598 MS17-010: Description of the security update for Windows SMB Server; March 14, 2017
- 4012216 March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2
- 4012213 March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2
- 4012217 March 2017 Security Monthly Quality Rollup for Windows Server 2012
- 4012214 March 2017 Security Only Quality Update for Windows Server 2012
- 4012215 March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
- 4012212 March 2017 Security Only Quality Update for Windows 7 SP1 and Windows Server 2008 R2 SP1
- 4013429 March 13, 2017—KB4013429 for Windows 10 version 1607 and Windows Server 2016 (OS Build 933)
- 4012606 March 14, 2017—KB4012606 for Windows 10 version 1507 (OS Build 17312)
- 4013198 March 14, 2017—KB4013198 for Windows 10 version 1511 (OS Build 830)
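Here is a quick way to check a machine against that list rather than eyeballing Windows Update history. It is an added example, not part of the original article or of Microsoft’s KB: it looks for the KB numbers above with Get-HotFix, reports the OS build (the reliable signal on Windows 10, where a later cumulative update supersedes the March one and the March KB may no longer be listed), prints the version of srv.sys (the SMB server driver MS17-010 replaces, which you can compare against the file information in the bulletin), and reports whether the SMBv1 server is enabled. The registry value used for the SMBv1 check on Windows 7 and Server 2008 R2 is the one Microsoft documents for disabling SMBv1 on those systems.

```powershell
# Added example: is MS17-010 on this box, and is SMBv1 still listening?
# The KB list is the one from KB4013389 as reproduced in the article above.
$ms17010Kbs = 'KB4012598', 'KB4012216', 'KB4012213', 'KB4012217', 'KB4012214',
              'KB4012215', 'KB4012212', 'KB4013429', 'KB4012606', 'KB4013198'

function Test-MS17010 {
    # Returns the matching KB IDs, or an empty array if none is listed as installed.
    @(Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID })
}

$found = Test-MS17010
if ($found.Count -gt 0) {
    Write-Host ("MS17-010 present via: " + ($found -join ', '))
} else {
    Write-Host "None of the MS17-010 KB numbers is listed. On Windows 10 a newer cumulative"
    Write-Host "update supersedes the March one, so compare the OS build below instead."
}

# OS build: CurrentBuildNumber.UBR (e.g. 14393.xxx for version 1607). ReleaseId is
# only present on Windows 10; it is blank on Windows 7/8.1.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Write-Host ("OS build {0}.{1}  ReleaseId={2}  {3}" -f $cv.CurrentBuildNumber, $cv.UBR, $cv.ReleaseId, $cv.ProductName)

# srv.sys is the SMB server driver that MS17-010 updates; compare this version with
# the file information in the bulletin for your Windows version.
$srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
if ($srv) { Write-Host ("srv.sys version: {0}" -f $srv.VersionInfo.FileVersion) }

# SMBv1 server state. Windows 8/2012 and later have Get-SmbServerConfiguration;
# on Windows 7/2008 R2 the documented switch is the SMB1 registry value (0 = off).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1 = ($null -eq $val) -or ($val -ne 0)   # absent value means SMBv1 is on
}
Write-Host ("SMBv1 server enabled: {0}" -f $smb1)
if ($smb1 -and $found.Count -eq 0) {
    Write-Host "WARNING: SMBv1 is on and MS17-010 is not confirmed; patch or disable SMBv1."
}
```

Run it from an elevated PowerShell prompt so Get-HotFix and the registry reads succeed. A clean result is either a listed KB or a Windows 10 build at or past the March 2017 cumulative update, ideally with SMBv1 off; an unpatched machine with SMBv1 on is exactly the profile the leaked SMB exploits target.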
Microsoft says three of the leaked exploits, EnglishmanDentist, EsteemAudit, and ExplodingCan, do not work against currently supported platforms and will not be fixed on older ones: Windows 7 or later and Exchange 2010 or later are not at risk, while Vista and earlier and Exchange 2007 and earlier remain exposed. Microsoft’s advice is to move to Windows 7 or later and Exchange 2010 or later to protect yourself against those exploits.
(The same situation held for the CIA’s iOS and Android hacks published by WikiLeaks in March: Apple and Google had already patched the bugs they relied on. In both leaks, the material was old by the time it surfaced.)
Discussion and conjecture continues on the AskWoody Lounge.